The World Cup? The Met Gala? P-Diddy’s White Party? They’re all fine, but for marketers the real event of the season happened on May 25th when the European Union finally rolled out its General Data Protection Regulation. The regulation is the single most comprehensive change to European data privacy laws in more than two decades and anyone doing digital in Europe has an invitation to the GDPR Party whether they want to attend or not
The new regulations take aim at the modern realities of a data-driven economy. It requires that companies must have valid reasons for processing personal data, strengthens requirements for data security and accountability from companies doing digital business in the EU, and provides new guidelines for how the online advertising industry collects, uses, and shares personal data across the digital ecosystem. In effect, it alters, and in some cases limits marketers ability to deliver data-driven advertising. As a technology provider built on data, IAS has been on the front lines studying the new regulation and to make sure we continue to offer our clients the best possible service under the new regulation.
We received a lot of questions around GDPR, but we’ve picked a few of the most important and frequently asked ones to answer here:
Are IAS data processing functions compliant with the terms of GDPR?
Yes! IAS’s viewability solutions measure and report on the performance of impressions and our brand safety verification solution protects brands by providing both monitoring and blocking of risky content. Brands can still rely on our dynamic, page-level scoring to verify the level of safety next to their ads and on our viewability measurement and verification services to ensure that their ads are in-view.
A handful of other offerings that do rely on data considered personal data under the new regulation have been withdrawn from EU markets while we explore alternative solutions. IAS looks forward to providing this measurement capability to our EU customers once an alternative solution is available and/or an industry-wide consent management platform is made scalable.
Which IAS solutions were impacted by GDPR?
- Ad fraud and IP address-based geolocation measurement: These products use data points defined as “personal data” under the GDPR in order to provide the ad fraud and geolocation components of the IAS verification services to our clients and to help better the overall advertising ecosystem. This specifically includes how IAS collects, processes, and stores IP addresses and other less specific personal data points such as device information. Our technology identifies and eliminates ad fraud based on proprietary algorithms that monitor and track the behavior of these data points.
- Consumer exposure: IAS has made the decision not to offer this solution in the EU at this time due to its design-based dependency on cookies. IAS looks forward to providing this measurement capability to our EU customers once a cookie-less solution is available and/or an industry-wide consent management platform is created and made scalable.
- Log-level reporting: Reporting for campaigns has been updated to comply with new regulation ensuring that no data now classed as Personal Data is collected or shared in this granular reporting functionality.
Beyond these specific changes to our offerings IAS has undertaken a wholesale effort to operationalize the new data protection and privacy requirements applicable to our processing of personal data across all of our solutions and internal practices.
What did IAS do to prepare for GDPR?
In the later half of 2017 we appointed a GDPR team with representation from business functions including: Legal, Compliance, Engineering, Marketing, HR, Finance, Network Security and Product to study and address the requirements of GDPR. After fully assessing the impact of the regulation, this team worked to update data processes and manage any necessary changes to the IAS product suite while working to preserve the comprehensive end-to-end verification and measurement solutions our clients rely on.
Key steps taken by our GDPR team included:
- A review of all systems and processes used to handle data
- Complete documentation of current data handling practices
- An assessment of what, if any, technical or process changes should be implemented
- Updating or changing corporate processes and policies concerning employee and prospective employee data
- Enhancing the diligence process used to vet service providers to confirm compliance with applicable GDPR requirements
- Increasing awareness of these new requirements throughout the IAS organization
- Updating Privacy Policies, Information Notices, Company Documentation, Contracts, and Vendor Agreements
Did IAS partner with any industry bodies to prepare for GDPR?
As always, IAS continues to be an active participant in conversations around data privacy and consent management. That includes participating in an industry wide conversation around Consent Management Platforms and aligning to Consent Management Frameworks. This work included our support of the IAB Europe’s cross-industry Consent Management Framework initiative.
In addition to our work with industry bodies and regulators, IAS engaged in a rigorous review process with our ecosystem of partners to ensure that any partner involved in the handling of Personal Data is compliant with new regulations and has updated their data handling practices.